The protection of natural persons in relation to the processing of personal data is a fundamental right that allows them to have control over their personal data, their use and destination, designed to avoid an illicit or abusive use that may affect the dignity and rights of those subjects concerned. Thus, this right is designed as a power to avoid that personal data are used for purposes other than those that justify their collection.

With the aim of promoting a more harmonized treatment of this fundamental right, the European Parliament and the Council approved in April 2016 the Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, which will be applicable as of 25 May 2018.

In this context, the Spanish Government published in June 2017 a Draft Law on personal data protection (APLOPD). This Draft Law, whose final version will repeal the current Law on data protection LOPD, aims at enhancing the regulatory framework of this fundamental right and adapting the Spanish legislation to the provisions set out in the GDPR.

The Technical Note produced by the Management Solutions’ R&D department summaries the content of this Draft Law.

Executive Summary

The main aspects of the GDPR that are addressed within the APLOPD are the following: principles, rights of natural persons, controllers and processors of data, international transfers of data, data protection authorities, and penalty regime.

Scope of application

The APLOPD applies to the processing of totally or partially automated personal data, as well as to the non-automated processing of personal data included or intended to be included in a filing system.

Main content

  • General provisions: i) scope of application (personal data under the scope and exceptions), and ii) data concerning deceased persons
  • Principles of data protection: i) general principles (e.g. accuracy, confidentiality) and ii) specific treatments (e.g. credit information systems, contact details)
  • Rights of natural persons: i) transparency, information of the subjects concerned; ii) exercise of rights (e.g. access, erasure, right to be forgotten); and iii) locking of data.
  • Controllers and processors of data: i) obligations of the controllers and processors, ii) recording of activities, iii) controllers of data, and iv) Data Protection Officer
  • International transfers of data: i) transfer regime, ii) approval by the Spanish data protection agency (AEPD), iii) prior authorization by the AEPD, and iv) previous information
  • Data protection authorities: i) AEPD; ii) regional authorities
  • Penalty regime: i) subjects responsible for the infringements, ii) slight, severe and very severe infringements, and iii) penalties

Download the technical note by clicking here (only in spanish)